Developers of the Content Management System (CMS) Drupal have released several security updates for a most critical vulnerability (CVE-2018-7600). They advise you to update the CMS as soon as possible. If this does not happen, attackers should be able to completely take over websites built with Drupal 7.x and 8.x. Of these, according to the developers more than one million pages are threatened. Drupal assures that there are currently no attacks. But they also warn that an exploit is likely to be comparatively easy to develop. So attacks could start in the near future. Issues 7.58 and 8.5.1 are hedged. If you are not able to update this at the moment, you can alternatively use a patch that the developers link to in their security warning. The gap is obviously so serious that Drupal even provides security updates for version 8.3.x and 8.4.x, which are no longer in support. Here are the secured issues 8.3.9 and 8.4.6 ready. Also Drupal 6 and 8.2.x are threatened. Anyone who uses one of these outdated versions must update to a current one, the developers advise. For Drupal 6 there is an unofficial patch.
In a FAQ to the gap is that an attack should be initiated by the sole visit of a vulnerable website. No special user rights would be needed for this. According to Drupal, the vulnerability is at the heart of the CMS and allows it to execute malicious code. Attackers should be able to modify and delete all data on the website. A successfully attacked site is considered completely compromised, the developers warn. Further details on the attack scenario Drupal holds back due to the high risk of attack.